Most Read Contributor in South Korea, January 2017
On June 30, 2016, various South Korean government agencies
including the Korea Communications Commission, the Financial
Services Commission, the Ministry of the Interior, the Ministry of
Health and Welfare, and the Ministry of Science, ICT and Future
Planning promulgated the Guidelines for De-Identification of
Personal Information (the "Guidelines"). The Guidelines
are effective as of July 1, 2016, and are expected to impact
various industries, not limited solely to the IT sector.
With these Guidelines, the relevant government agencies have
made their position clear that de-identified data does not fall
within the legal scope of "Personal Information" defined
under the current personal-information protection laws. The
Guidelines are expected to positively impact the use of big data by
various industries including the IT, finance (fintech), and medical
industries, as the use of de-identified personal information is now
clearly allowed without any consent.
The Guidelines set out standards and procedures for the proper
de-identification of personal information, particularly in order to
reduce any uncertainties involved in the utilization of big data.
More specifically, the Guidelines divide the de-identification
process into four steps as follows;
Pre-Review of the Data: First, it
should be determined whether the data in question falls within the
legal definition of "Personal Information" or not. If it
does not, such data may be utilized without de-identification.
De-Identification Process: If the
data in question is determined to be "Personal
Information," various de-identification methods can be used to
remove "Personal Information Identifiers" from the data.
De-identification methods may include pseudonymization,
aggregation, data reduction, data suppression, data masking and
Appropriateness Evaluation: An
outside evaluator should objectively evaluate whether such
de-identification has been appropriately completed or not, based on
the "K-anonymity" model. Upon a positive evaluation, the
de-identified data can be used for big-data purposes and provided
to other parties.
Follow-up Actions: It should be
ensured that the de-identified data is not abused or misused, and
is securely protected with proper managerial and technical security
As there have been concerns in connection with the processing
and utilization of big data due to the absence of specific guidance
on the appropriate de-identification process, these Guidelines are
expected to promote further development of the big-data industry in
Korea—which is already rapidly growing—by dispelling
However, it is important to comply with the Guidelines and to
take proper managerial and technical security measures, as a breach
of the Guidelines—especially re-identification of
de-identified data and provision of such data to others—may
constitute a violation of the relevant personal-information
protection laws which may result in up to 5 years in jail and a
maximum fine of KRW 50 million. Also, although the Guidelines seem
to loosen the regulations affecting big data, it is still crucial
for all business entities in South Korea to comply with the
relevant laws and take all necessary steps to securely protect
personal information obtained in the course of their business,
particularly as the general tendency of personal-information
protection laws in South Korea is to get stricter every year.
Originally published in ICT Legal Update 2016.07
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
With the increase in usage of technology in businesses, the ease of doing business has undoubtedly gone up, but this also presents certain concerns including the protection of personal information and data.
Section 43A of the Information Technology Act, 2000 addresses the penalties for non-compliance by a recipient of Protected Data under the I.T. Rules.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).